06 Apr

Tunnelling through firewalls with SSH

In this tutorial we show how to set up an ssh connection in order to access computers and services behind a firewall.

The topology of the network is as depicted below:

Network schematics for ssh tunnelling through a firewall.

We have a computer (with IP 192.168.1.2) connected to a router, which in turn is connected to the internet. We want to reach the desktop (with IP 131.180.123.193) and all the other servers (web, samba and mail). The problem with this network is that the firewall allows only ssh connections, on port 22, and only to the ssh server (with IP 131.180.123.195). Therefore, in order to reach any of the other computers behind the firewall, we need to go through the ssh server.

What I will show here is how to set up an ssh tunnelling connection that lets us connect to these machines.

This tutorial is based on the tutorial by Mike Chirico that can be found here.

Tutorial

We want to be able to ssh to the desktop machine (with IP 131.180.123.193), connect to the web server (with IP 131.180.123.192), access the samba server (with IP 131.180.123.190) and use the mail server (with IP 131.180.123.191). In order to do that we need to tunnel through the ssh server (the only machine we can access directly).

To tunnel traffic through the ssh server from the *nix laptop to the different machines behind the firewall, create the following ~/.ssh/config file on the *nix laptop:

Host mytunnel
        HostName 131.180.123.195
        ForwardX11 yes
        User your_username_at_131.180.123.195
        LocalForward 22022 131.180.123.193:22
        LocalForward 22139 131.180.123.190:139
        LocalForward 22080 131.180.123.192:80
        LocalForward 22110 131.180.123.191:110

Host mytunnel_ssh
        HostName localhost
        ForwardX11 yes
        User your_username_at_131.180.123.193
        Port 22022
        HostKeyAlias athens

We have just configured two ssh connections: mytunnel and mytunnel_ssh. The first one is the essential one; the second only simplifies the ssh connection to the desktop. It points ssh at localhost on port 22022 (the tunnelled port) and, through HostKeyAlias, stores and checks the desktop's host key under the name athens instead of under [localhost]:22022. That way the key is verified against the machine it really belongs to, and it does not clash with another host if port 22022 is later reused for a different tunnel.

The first thing done in the mytunnel block is to specify the IP of the ssh server (HostName) and the username (User) used to connect to it. After that come four lines starting with LocalForward. Each of these redirects any data sent to a port on the laptop to a port on another computer, through the ssh connection. For example the first line:

LocalForward 22022 131.180.123.193:22

states that all data sent to port 22022 of the laptop will be sent (over the ssh connection to the ssh server) to port 22 of the machine with IP 131.180.123.193. This means that whenever the ssh connection mytunnel is open, sending data to port 22022 on the laptop is "the same" as sending data to port 22 of the machine with IP 131.180.123.193. The same holds for the samba, web and mail servers, on ports 22139, 22080 and 22110 respectively. Two details are worth keeping in mind. First, with no explicit bind address in a LocalForward line ssh listens on the loopback interface only (unless GatewayPorts is set), so the forwarded ports are usable from the laptop itself and not from other machines on its network; keep it that way, otherwise the laptop becomes an open relay into the firewalled network. Second, ssh encrypts only the leg between the laptop and the ssh server: the ssh server then opens a plain TCP connection to the target, so the web, samba and POP3 (port 110) traffic travels in clear on the network behind the firewall, while the connection to port 22022 is protected end to end because it is itself ssh.
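To check what such a config actually exposes before relying on it, here is a small checker, added for this article and not code from the original tutorial, that reads an ssh_config text, lists the LocalForward entries of a Host block and flags any forward that would listen on more than the loopback interface (an explicit "*", an empty or non-loopback bind address, or a bare port combined with GatewayPorts yes). The sample config is constructed for the example: it repeats the tutorial's mytunnel block and adds a hypothetical weak_example block containing exactly those mistakes. Only the Python standard library is used.

```python
"""Audit an ssh_config for LocalForward entries reachable from other hosts.

Added example for this tutorial, not code from the original post.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the tutorial's "mytunnel" block, plus a
# hypothetical "weak_example" block with the mistakes the checker flags.
SAMPLE_CONFIG = """\
Host mytunnel
    HostName 131.180.123.195
    ForwardX11 yes
    User your_username_at_131.180.123.195
    LocalForward 22022 131.180.123.193:22
    LocalForward 22139 131.180.123.190:139
    LocalForward 22080 131.180.123.192:80
    LocalForward 22110 131.180.123.191:110

# Hypothetical block: every forward below except 127.0.0.1:22110 is
# reachable from other machines on the laptop's network.
Host weak_example
    HostName 131.180.123.195
    GatewayPorts yes
    LocalForward *:22080 131.180.123.192:80
    LocalForward 0.0.0.0:22139 131.180.123.190:139
    LocalForward 127.0.0.1:22110 131.180.123.191:110
    LocalForward 22022 131.180.123.193:22
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

Entry = Tuple[str, List[str]]  # (lower-cased keyword, arguments)


def parse_ssh_config(text: str) -> Dict[str, List[Entry]]:
    """Group ssh_config options under their Host line.

    Keywords are case-insensitive in ssh_config, so they are lower-cased;
    "Key value" and "Key=value" spellings are both accepted.  Comment
    handling is deliberately simple: everything after '#' is dropped.
    """
    hosts: Dict[str, List[Entry]] = {"*": []}  # options before any Host line
    current = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        keyword, args = m.group(1).lower(), m.group(2).split()
        if keyword == "host":
            current = " ".join(args)
            hosts.setdefault(current, [])
        else:
            hosts[current].append((keyword, args))
    return hosts


def split_listen(spec: str) -> Tuple[Optional[str], int]:
    """Split the listen part of a LocalForward into (bind_address, port).

    A bare port ("22022") has no explicit bind address and ssh resolves it
    via GatewayPorts, so None is returned.  An empty address (":22080") or
    "*" means every interface; "[::1]:22110" has its IPv6 brackets removed.
    """
    if ":" not in spec:
        return None, int(spec)
    host, _, port = spec.rpartition(":")
    host = host.strip("[]")
    return (host or "*"), int(port)


def forwards(cfg: Dict[str, List[Entry]], host: str) -> List[Tuple[int, str]]:
    """(local port, remote host:port) for every LocalForward under `host`."""
    out = []
    for keyword, args in cfg.get(host, []):
        if keyword == "localforward" and len(args) >= 2:
            out.append((split_listen(args[0])[1], args[1]))
    return out


def audit_forwards(cfg: Dict[str, List[Entry]], host: str) -> List[Tuple[str, str, str]]:
    """Return (listen spec, target, reason) for forwards that other machines
    on the laptop's network could connect to, i.e. an unauthenticated relay
    into the firewalled network."""
    entries = cfg.get(host, [])
    gateway = any(k == "gatewayports" and a and a[0].lower() == "yes" for k, a in entries)
    findings = []
    for keyword, args in entries:
        if keyword != "localforward" or len(args) < 2:
            continue
        listen, target = args[0], args[1]
        bind, _port = split_listen(listen)
        if bind is None and gateway:
            findings.append((listen, target, "bare port with GatewayPorts yes binds all interfaces"))
        elif bind is not None and bind not in LOOPBACK:
            findings.append((listen, target, f"bind address {bind!r} is not loopback"))
    return findings


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for name in ("mytunnel", "weak_example"):
        print(f"{name}: {len(forwards(cfg, name))} forwards")
        for listen, target, reason in audit_forwards(cfg, name):
            print(f"  WARNING {listen} -> {target}: {reason}")
```

Run it against your real file with parse_ssh_config(open("~/.ssh/config").read()) after expanding the path; an empty result from audit_forwards for the mytunnel block is what you want to see, and the tutorial's config as written passes.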

To open this tunnelling connection we simply type the following line in a terminal:

ssh mytunnel

To make an ssh connection to the desktop with IP 131.180.123.193 there are two options. The longer one is to open the tunnelling connection as above and then, in a new terminal window, open the ssh connection to the desktop:

ssh mytunnel_ssh

A simpler and shorter way is to add the following line to your .bash_profile or .bashrc file:

alias desktop_ssh='ssh -N -f -q mytunnel;ssh mytunnel_ssh'

Here -N tells ssh not to run a remote command (we only want the forwards), -f sends it to the background once the forwards are set up, and -q silences its messages. Note that every run of the alias starts another background ssh to mytunnel: if the tunnel is already open the new one cannot bind the ports (the warning is hidden by -q) but by default keeps running idle, so either kill the leftover processes when you are done or add ExitOnForwardFailure yes to the mytunnel block so that a duplicate exits on its own.

Now to connect to the desktop you just need to type in your terminal:

desktop_ssh